From 9e59881b3ca3e2b8bfc8498ec5f934bb7c065a94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Sat, 21 Jun 2025 16:45:38 +0300
Subject: [PATCH] Move wg-rpi to sops-nix

---
 .sops.yaml                                   |  6 +++++
 flake.nix                                    |  1 +
 hosts/aarch64-linux/wg-rpi/configuration.nix | 20 ++++++++-------
 secrets/wg-rpi.yaml                          | 26 ++++++++++++++++++++
 4 files changed, 44 insertions(+), 9 deletions(-)
 create mode 100644 secrets/wg-rpi.yaml

diff --git a/.sops.yaml b/.sops.yaml
index c29295e..e9a5717 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
   - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
   - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
   - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
+  - &wg-rpi age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6
 creation_rules:
   - path_regex: ^secrets/helium/.*\.yaml$
     key_groups:
@@ -43,3 +44,8 @@ creation_rules:
       - age:
           - *vili-bw
           - *vaultwarden
+  - path_regex: ^secrets/wg-rpi.yaml$
+    key_groups:
+      - age:
+          - *vili-bw
+          - *wg-rpi
diff --git a/flake.nix b/flake.nix
index 8ea4b91..44d017b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,6 +74,7 @@
           system = "aarch64-linux";
           modules = [
             { networking.hostName = host; }
+            sops-nix.nixosModules.sops
             ./hosts/aarch64-linux/${host}/configuration.nix
           ];
         }
diff --git a/hosts/aarch64-linux/wg-rpi/configuration.nix b/hosts/aarch64-linux/wg-rpi/configuration.nix
index 76be4d4..5dc0503 100644
--- a/hosts/aarch64-linux/wg-rpi/configuration.nix
+++ b/hosts/aarch64-linux/wg-rpi/configuration.nix
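Review bot: The new creation rule in the second `.sops.yaml` hunk leaves the dot unescaped, `^secrets/wg-rpi.yaml$`, so the regex also matches names like `secrets/wg-rpiXyaml`, and it is out of step with the other rules in this file, which write `\.yaml`. Change it to `- path_regex: ^secrets/wg-rpi\.yaml$`. The first hunk, which registers the `&wg-rpi` age recipient, raises nothing.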
@@ -1,15 +1,22 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
   # SSID = "ENTER_SSID";
   # SSIDpassword = "ENTER_PASSWORD";
   # interface = "wlan0";
   wg_interface = "end0";
   hostname = "wg-rpi";
-  ddPassFile = "/root/wg-conf/ddPassFile";
 in
 {
   imports = [ ../../../shared/base.nix ];
 
+  sops.secrets = {
+    priv-netflix-wg = {
+      sopsFile = ../../../secrets/wg-rpi.yaml;
+      restartUnits = [ "wg-quick-wg0.service" ];
+    };
+    dd-pass.sopsFile = ../../../secrets/wg-rpi.yaml;
+  };
+
   environment.systemPackages = with pkgs; [
     wireguard-tools
     qrencode
@@ -43,12 +50,7 @@ in
       ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${wg_interface} -j MASQUERADE
     '';
 
-    # Path to the private key file.
-    #
-    # Note: The private key can also be included inline via the privateKey option,
-    # but this makes the private key world-readable; thus, using privateKeyFile is
-    # recommended.
-    privateKeyFile = "/root/wg-conf/private";
+    privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
 
     peers = [
       {
@@ -91,7 +93,7 @@ in
     domains = [ "netflix.vsinerva.fi" ];
     server = "www.ovh.com";
     username = "vsinerva.fi-dynraspi";
-    passwordFile = ddPassFile;
+    passwordFile = config.sops.secrets.dd-pass.path;
   };
   #################### EVERYTHING BELOW THIS SHOULD NOT NEED TO CHANGE ####################
   system.stateVersion = "24.11";
diff --git a/secrets/wg-rpi.yaml b/secrets/wg-rpi.yaml
new file mode 100644
index 0000000..94e5aac
--- /dev/null
+++ b/secrets/wg-rpi.yaml
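Review bot: `dd-pass` is declared without `restartUnits`, while `priv-netflix-wg` restarts `wg-quick-wg0.service`, so a rotated ddclient password deployed through sops will not reach the running client until its unit is restarted by some other means; if the unit is `ddclient.service` (not visible here), `dd-pass = { sopsFile = ../../../secrets/wg-rpi.yaml; restartUnits = [ "ddclient.service" ]; };` keeps the two secrets consistent. Both entries repeat the same `sopsFile`; `sops.defaultSopsFile = ../../../secrets/wg-rpi.yaml;` states it once and lets each secret omit the attribute. The plaintext files this hunk and the next stop referencing, `/root/wg-conf/ddPassFile` and `/root/wg-conf/private`, are not removed by this change and remain on the host after deployment until deleted by hand.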
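Review bot: The second `configuration.nix` hunk drops the comment explaining why `privateKeyFile` is used instead of an inline `privateKey` (the inline form makes the key world-readable), and the replacement line carries no rationale of its own. A one-line comment above the new assignment, `# Key is delivered by sops-nix at activation; do not switch to the inline privateKey option, which would put the key in the world-readable store.`, preserves that guidance for the next editor. The enclosing `networking.wg-quick` interface block starts and ends outside the hunk.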
@@ -0,0 +1,26 @@ +priv-netflix-wg: ENC[AES256_GCM,data:KpC4tto8D0jiCSza5cqFkVtA9Mjl3H8SUoYNuCUVtPwwgbQS4AUOTcWUmHg=,iv:0YOyBhUrYSqFlhdbtP3v/oD8HkZ84anLojL3vCZF9zo=,tag:S6RZFi6RLx01VFzpv3YzNA==,type:str] +dd-pass: ENC[AES256_GCM,data:ZdKTZSxW3CQl2OwMeHfips9+pLnYkS0hbQC2fos1tw==,iv:x7u+TWq7OM2R5oboaTR24Ra1glZdwnIr/Xol08iR824=,tag:y89NNqwEeWBSQuHTCsXwEg==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aEJIRmt1T1BrY1FNS3RP + SHZWWlB6Z010SkhBZ0UrUUJDWlJBQXZkWDFjCk80UTd5dlRSa3F1aXhSNmlwU1BI + YWs4d2ZSMm53bmdMKzR0WGhobnpTbVEKLS0tIFIwSEdDV0Zha3pETks3UlRtVmtZ + UjFKSFo4ZDVPc2NiWi9RSThhTktlelEK6PJuaJzDyGJwwf7xpXZ29Fmnsn1/URmY + Kwc5BCSW2vZWzh0JEfv0L0/gB7Z57y7rMcYqgYCypSn8oT1zc1fdbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRLzdqdXZHS2cwTHJwcks3 + RHdsc1paaW0xRitIUjgyWDluWjlmaHR0Q1FvCkdxUnNLejk1U3pxWXZyM0VDdnEz + eTFjWFZMbnl3Q2R5SlJYMlJIZ3B6T3cKLS0tIEhCVVZDdEtTR25BUWg1WTlhVUpy + RFpsakNSbDkrR1RNRFRMMEJ1Qm9HeU0Kr6W85PfUsLiuov+DSaVWxJ7hNRVbNZn4 + zrFHRuri8F1MRAabOMIxB42MYJbCM64eDfDB/qLRTJ92iWLV6i8enA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T13:41:38Z" + mac: ENC[AES256_GCM,data:xfvH9PkS91VkoXejPilQ+f1pzJZbXiNuj9JtavZKFLUZ8wiYVOsk7dIIz5YhXo0YtEcNy9Uff9Rm5dYzS49aTPVyJHXNKndc7L7sZifZ137VeOgOgE85wXRLm+iGyJbjMYqVcwOQKJ/ERQPzg+uC7NMkdqpqczis1WUm0OHhNfo=,iv:8FybEXz+aLoLmKPHvyQPrawAMzF79dgM0JRta01fCJU=,tag:QgM3pKDA23XGQT1Q0lKnlw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2